AMENDMENTS TO THE CLAIMS

Upon entry of this amendment, the following listing of claims will replace all prior 
versions and listings of claims in the pending application. 

IN THE CLAIMS 

Please amend claims 1, 27 and 29 and add new claims 30-33 as follows: 

1. (Currently Amended) A method for providing secure access to applications, the
method comprising the steps of: 

(a) receiving a request from a user to execute an application; 

(b) determining a minimal set of computing privileges necessary for the user to 
use the requested application; and 

(c) invoking an execution environment for the user having the determined set of 
privileges. 

2. (Original) The method of claim 1, comprising the further step of: returning an 
identifier for the execution environment to the requesting user. 

3. (Original) The method of claim 2, wherein the identifier is used to using the 
identifier and a remote presentation level protocol to connect the user to the execution 
environment. 

4. (Original) The method of claim 1 wherein step (a) comprises receiving an 
HTTP-based request from a user to execute an application.

5. (Original) The method of claim 1 wherein step (b) comprises accessing a 
policy-based decision system to determine a minimal set of computing privileges 
necessary for the user to use the requested application. 

6. (Original) The method of claim 1 wherein step (b) comprises analyzing 
requirements of an application to determine a minimal set of privileges necessary for the 
user to use the requested application. 
7. (Original) The method of claim 1 further comprising the step of receiving an
indication of a dataset on which the application operates. 

8. (Original) The method of claim 5 wherein step (b) comprises accessing a 
confidentiality policy associated with the identified dataset to determine a minimal set of 
computing privileges necessary for the user to use the requested application. 

9. (Original) The method of claim 1 wherein step (b) further comprises 
determining a minimal set of computing privileges necessary for the user to use the 
requested application based, at least in part, on a role assigned to the user. 

10. (Original) The method of claim 1 wherein step (c) further comprises creating 
an execution environment for the user having the determined set of privileges. 

11. (Original) The method of claim 1 wherein step (c) further comprises
identifying a previously-existing execution environment for the user having the 
determined set of privileges. 

12. (Original) The method of claim 1 further comprising the step of receiving 
from the user a request to execute a second application. 

13. (Original) The method of claim 10 further comprising the steps of: 
determining a minimal set of computing privileges necessary for the user to use the 
second requested application; and invoking a second execution environment for the user 
having the second determined set of privileges. 

14. (Original) The method of claim 1 further comprising the steps of initiating a 
connection with a client system associated with the user. 

15. (Original) An application server system providing secure access to hosted 
applications, the system comprising: 

a policy based decision system receiving a request from a user to execute an 
application and determining a minimal set of privileges required by the user to execute 
the application; and 

an account administration service in communication with said policy based 
decision system, the account administration service invoking an execution environment 
for the user having the determined set of privileges. 

16. (Original) The system of claim 15 further comprising a connection manager
in communication with said policy based decision system, said connection manager 
receiving from a client system a request by the user to execute the application and 
transmitting to said policy based decision system an identification of said user and an 
identification of said application. 

17. (Original) The system of claim 16 wherein said connection manager 
communicates with the client using a presentation level protocol. 

18. (Original) The system of claim 17 wherein said presentation-level protocol is 
selected from the group consisting of RDP, ICA, and X. 

19. (Original) The system of claim 15 wherein said connection manager transmits 
an identification of the user's role to said policy based decision system. 

20. (Original) The system of claim 15 wherein said policy-based decision system
is based on a declared plurality of rules. 

21. (Original) The system of claim 15 wherein said policy-based decision system 
analyzes a set of requirements of the requested application to determine a minimal set of 
privileges required by the user to execute the requested application. 

22. (Original) The system of claim 15 wherein said connection manager receives 
an identification of a dataset that the application will process. 

23. (Original) The system of claim 18 wherein said policy based decision system 
accesses a confidentiality policy associate with the identified dataset to determine a 
minimal set of privileges required by the user to execute the application. 

24. (Original) The system of claim 15 wherein said account administration 
service creates an execution environment having the determined minimal set of privileges. 

25. (Original) The system of claim 15 wherein said account administration 
service identifies a previously-existing execution environment having the determined 
minimal set of privileges. 
26. (Original) An article of manufacture having embodied thereon computer-readable
program means for providing secure access to applications, the article of
manufacture comprising: 

computer-readable program means for receiving a request from a user to execute 
an application; 

computer-readable program means for determining a minimal set of computing 
privileges necessary for the user to use the requested application; and 

computer-readable program means for invoking an execution environment for the 
user having the determined set of privileges. 

27. (Currently Amended) The article of manufacture of claim 27 26 further 
comprising computer-readable program means for accessing a policy-based decision 
system to determine a minimal set of computing privileges necessary for the user to use 
the requested application. 

28. (Original) The article of manufacture of claim 27 further comprising 
computer-readable program means for determining a minimal set of computing privileges 
necessary for the user to use the requested application based, at least in part, on a role 
assigned to the user. 

29. (Currently Amended) An application server system providing secure access to 
hosted applications, the system comprising: 

a policy based decision system receiving a request from a user to execute an 
application and determining a minimal set of privileges required by the user to execute 
the application; 

an account administration service in communication with said policy based 
decision system, the account administration service invoking an execution environment 
for the user having the determined set of privileges; and 

a connection manager in communication with said policy based decision system, 
said connection manager receiving from a client system the an RDP request by the user to
execute the application and transmitting to said policy based decision system an 
identification of said user and an identification of said application. 
30. (New) The method of claim 1, wherein step (b) further comprises determining in
response to the request the minimal set of computing privileges necessary for the user to 
use the requested application 

31. (New) The system of claim 15, wherein the policy-based decision system
determines the minimal set of privileges required by the user to execute the application in 
response to the request. 

32. (New) The article of manufacture of claim 26, wherein the computer-readable 
program means for determining the minimal set of computing privileges necessary for the 
user to use the requested application is responsive to the request. 

33. (New) The system of claim 29, wherein the policy-based decision system 
determines the minimal set of privileges required by the user to execute the application in 
response to the request. 